From b2f6fbd9dd6db9288af02766f80eb85fc8e5dc1d Mon Sep 17 00:00:00 2001
From: Helmut Pozimski <helmut@pozimski.eu>
Date: Fri, 26 May 2017 21:21:41 +0200
Subject: [PATCH] jbig2dec: add patches for multiple CVEs

fixes CVE-2017-7885, CVE-2017-7975 and CVE-2017-7976.
Patches taken from the upstream ghostpdl git repository,
http://git.ghostscript.com/?p=ghostpdl.git
git revisions
b184e783702246e154294326d03d9abda669fcfa
ed6c5133a1004ce8d38f1b44de85a7186feda95e
5e57e483298dae8b8d4ec9aab37a526736ac2e97 and
73060a27e554f8e64ae2aba4a1b03822207346c7
---
 srcpkgs/jbig2dec/patches/CVE-2017-7885.patch | 13 +++++++++
 srcpkgs/jbig2dec/patches/CVE-2017-7975.patch | 15 ++++++++++
 srcpkgs/jbig2dec/patches/CVE-2017-7976.patch | 29 ++++++++++++++++++++
 srcpkgs/jbig2dec/template                    |  2 +-
 4 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 srcpkgs/jbig2dec/patches/CVE-2017-7885.patch
 create mode 100644 srcpkgs/jbig2dec/patches/CVE-2017-7975.patch
 create mode 100644 srcpkgs/jbig2dec/patches/CVE-2017-7976.patch

diff --git a/srcpkgs/jbig2dec/patches/CVE-2017-7885.patch b/srcpkgs/jbig2dec/patches/CVE-2017-7885.patch
new file mode 100644
index 00000000000..9a8f2932dbc
--- /dev/null
+++ b/srcpkgs/jbig2dec/patches/CVE-2017-7885.patch
@@ -0,0 +1,13 @@
+diff --git a/jbig2dec/jbig2_symbol_dict.c b/jbig2dec/jbig2_symbol_dict.c
+index 4acaba9..36225cb 100644 (file)
+--- jbig2_symbol_dict.c
++++ jbig2_symbol_dict.c
+@@ -629,7 +629,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+                 byte *dst = image->data;
+ 
+                 /* SumatraPDF: prevent read access violation */
+-                if (size - jbig2_huffman_offset(hs) < image->height * stride) {
++                if ((size - jbig2_huffman_offset(hs) < image->height * stride) || (size < jbig2_huffman_offset(hs))) {
+                     jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", image->height * stride,
+                                 size - jbig2_huffman_offset(hs));
+                     jbig2_image_release(ctx, image);
diff --git a/srcpkgs/jbig2dec/patches/CVE-2017-7975.patch b/srcpkgs/jbig2dec/patches/CVE-2017-7975.patch
new file mode 100644
index 00000000000..1f7786edb3d
--- /dev/null
+++ b/srcpkgs/jbig2dec/patches/CVE-2017-7975.patch
@@ -0,0 +1,15 @@
+diff --git a/jbig2dec/jbig2_huffman.c b/jbig2dec/jbig2_huffman.c
+index 511e461..b4189a1 100644 (file)
+--- jbig2_huffman.c
++++ jbig2_huffman.c
+@@ -421,8 +421,8 @@ jbig2_build_huffman_table(Jbig2Ctx *ctx, const Jbig2HuffmanParams *params)
+ 
+             if (PREFLEN == CURLEN) {
+                 int RANGELEN = lines[CURTEMP].RANGELEN;
+-                int start_j = CURCODE << shift;
+-                int end_j = (CURCODE + 1) << shift;
++                uint32_t start_j = CURCODE << shift;
++                uint32_t end_j = (CURCODE + 1) << shift;
+                 byte eflags = 0;
+ 
+                 if (end_j > max_j) {
diff --git a/srcpkgs/jbig2dec/patches/CVE-2017-7976.patch b/srcpkgs/jbig2dec/patches/CVE-2017-7976.patch
new file mode 100644
index 00000000000..84e7299b479
--- /dev/null
+++ b/srcpkgs/jbig2dec/patches/CVE-2017-7976.patch
@@ -0,0 +1,29 @@
+diff --git a/jbig2dec/jbig2_image.c b/jbig2dec/jbig2_image.c
+index 94e5a4c..00f966b 100644 (file)
+--- jbig2_image.c
++++ jbig2_image.c
+@@ -256,7 +256,7 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
+     /* general OR case */
+     s = ss;
+     d = dd = dst->data + y * dst->stride + leftbyte;
+-    if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
++    if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
+         return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
+     }
+     if (leftbyte == rightbyte) {
+
+
+diff --git a/jbig2dec/jbig2_image.c b/jbig2dec/jbig2_image.c
+index 661d0a5..ae161b9 100644 (file)
+--- jbig2_image.c
++++ jbig2_image.c
+@@ -263,7 +263,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
+     /* general OR case */
+     s = ss;
+     d = dd = dst->data + y * dst->stride + leftbyte;
+-    if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
++    if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride ||
++        s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) {
+         return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
+     }
+     if (leftbyte == rightbyte) {
diff --git a/srcpkgs/jbig2dec/template b/srcpkgs/jbig2dec/template
index 9d80632e7c9..bd60c7059bd 100644
--- a/srcpkgs/jbig2dec/template
+++ b/srcpkgs/jbig2dec/template
@@ -1,7 +1,7 @@
 # Template file for 'jbig2dec'
 pkgname=jbig2dec
 version=0.13
-revision=1
+revision=2
 build_style=gnu-configure
 makedepends="libpng-devel"
 short_desc="Decoder implementation of the JBIG2 image compression format"